Radius Load Balancing
We use Radius authentication for our corporate wireless users. I'm looking at load balancing our radius servers for our wireless controllers. We had an issue recently where one of the radius servers went down, all clients connected on that wireless controller to that radius server, lost their authentication. Hence, about 400 people dropped off the network. The server was physically up, but the service was hung. The controllers have both IP addresses of the Radius servers in their configuration. But have no way of knowing if the service is up or not. Only if the server was completely down. My idea is to use the BigiP, use one VIP the controllers point to, and do the health checks. That way the controllers can send to one IP, and the BigIP manages the traffic. Does anyone have experience with load balancing radius. I have already created a VIP, a UDP profile specifying the Datagram LB option. I also created a health monitor which checks radius the port. I would really like to build a good health monitor to actually check authentication and make sure the radius server is online. Any input is appreciated... Thanks....
DNS Query - reply from unexpected source
Hi Guys, I'm new to F5, and something annoy me i can't find why it happen. My topology: Network (Public IP - Pretend its 100.100.100.0/24) --> Switch Stack --> LAG --> Viprion LTM --> Cisco CRS --> WWW I have Viprion 4800 and for now i just wanna allow traffic to go outside, here are my questions : 1. I've added virtual-server with 0.0.0.0/0.0.0.0 as Forwarding (IP) to allow the LAN to have connectivity. but unless i open virtual server back inside (100.100.100.0/255.255.255.0) i have no connectivity. Isn't it statefull ? 2. After i open the rule I talked about in (1). i have this message when i try simple resolving from server behind the F5. [ip@qa-env ~]$ host google.com 8.8.4.4 ;; reply from unexpected source: 8.8.4.425965, expected 8.8.4.453 tcpdump show this 22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27) 22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27) 22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43) 22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43 So the packets goes all good until the return packet back to the F5 and then he alter the port! What am i missing ? *remember, i have public ip on the server. i just changed it to 100.100.100.40 for the example. my Virtuals ltm virtual MNG_ALLOW_ALL_OUT { description "Management Rule - Allow All Traffic Outside" destination 0.0.0.0:any ip-forward mask any profiles { fastL4 { } } translate-address disabled translate-port disabled vlans { DNS_LAN LDAP_LAN RADIUS_LAN } vlans-enabled } ltm virtual MNG_QA_ENV_IN { description "Management Rule - Allow Radius traffic in" destination 100.100.100.0:any ip-forward mask 255.255.255.0 profiles { fastL4 { } } translate-address disabled translate-port disabled vlans { CRS1.WAN CRS2.WAN } vlans-enabled }
Load Balancing Web Proxy Servers
Being new to f5 (coming from CSS) I am in the process of migration from CSS to f5, however, I just hit a road block. I'm sure what I am trying to do is possible (it's simple load balancing) but I'm having issue. I have three WebMarshal Web Proxy Servers 1 VIP VIP service port is 8080 Performance L4 rule (I need to do this as I need the VIP to not respond to the port if all pool members are down) Pool has the three servers on 8080 SNAT Auto Map Source Address Affinity Simple, right? Well, when users are accessing HTTPS sites via the LTM to the Proxy servers I get complaints of slowness, timeouts, disconnects. I'm not offloading SSL, I'm using this VIP as more of a pass through to the proxy servers. Am I missing something very obvious? Right now I had to flip the proxy alias back to the old CSS until I can get this stable for the users as it was breaking sites that were required for them to perform their job functions. Any guidance I can get from this community would be much appreciated. Thanks!
